Sending email for Sign in with Apple

When we released Micro.blog 1.7 for iOS last week with Sign in with Apple support, Micro.blog could not actually send email to Apple’s private relay server. This is an issue that has popped up on the Apple developer forums and likely affects many developers. I was so excited for Sign in with Apple that I thought it was worth shipping anyway, crossing my fingers that we could resolve it shortly after iOS 13 was out.

Apple’s private email relay server is almost completely undocumented. In this blog post I’ll describe how I got it working.

The key issue is that the “return path” of your emails must use a subdomain that can be verified by Apple. This blog post from SendGrid describes the solution in detail. I was happy to discover that I could customize this in Mandrill as well, under Settings → Sending Defaults:

Return path screenshot

Here are the steps I took:

  • Create a new subdomain. I decided to use mail.micro.blog. Set the TTL to just 1 minute, because you will need to change the DNS record multiple times during this process.
  • Initially the subdomain should be a CNAME to your email provider. Mine was set to mandrill.com.
  • Make sure you have SPF records for this new subdomain. Mandrill will walk you through this when you add a new subdomain under Settings → Domains → Tracking & Return Path Domains.
  • Start registering the new subdomain in Apple’s developer portal. Apple will check the SPF records at this point. After you click Register, download the verification file.
  • Create a new web site somewhere for your subdomain and update your DNS record to now point to that web host instead of Mandrill. The web site must support the latest encryption settings for HTTPS or it will mysteriously fail verification from Apple.
  • I put the subdomain on GitHub Pages so I didn’t need to spin up a new server somewhere for it. If you use GitHub Pages, make sure to create a .nojekyll file so that the .well-known folder that Apple needs isn’t skipped.
  • Upload the apple-developer-domain-association.txt file from Apple to the new subdomain web site. Wait a few extra minutes to make sure the DNS has changed before clicking Verify at Apple.
  • Also verify your root domain name and add the from email address you will be using to send email. Here’s what my settings look like when everything is working:

Apple screenshot

And finally:

  • Change the DNS record for your new subdomain to point it back to mandrill.com.
  • If any previous emails had already bounced, remove those from Mandrill’s blacklist under Settings → Rejection Lists so they will try to send again in the future.
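The steps above are easy to get subtly wrong (the record pointing at the wrong host for the current phase, a missing SPF record, a TTL that is still an hour). Below is an added preflight check that encodes them; it is an example written for this post, not Micro.blog’s or Mandrill’s code. It takes DNS answers as a plain dict so it runs offline (the sample answers are constructed, and the mail-provider hostname and SPF include in them are placeholders), and it assumes that “the latest encryption settings” means TLS 1.2 or newer with a valid certificate, which is what the client context at the end enforces.

```python
"""Preflight checks for a Sign in with Apple return-path subdomain.

Added example, not Micro.blog's code. Checks that the subdomain points at
the right host for the current phase (web host while Apple verifies it,
mail provider once you send again), carries exactly one SPF record that
authorizes the provider, uses a short TTL while records are being flipped,
and that Apple's verification file would be fetched over HTTPS with TLS 1.2+.
DNS answers are passed in as a dict so nothing here touches the network.
"""
import ssl
from typing import Dict, List

# Path named in the post: the file Apple gives you goes in .well-known
ASSOCIATION_PATH = "/.well-known/apple-developer-domain-association.txt"
MAX_TTL_SECONDS = 60  # the post sets the TTL to 1 minute during this process


def association_file_url(subdomain: str) -> str:
    """URL Apple is expected to fetch; it must be HTTPS, not plain HTTP."""
    return f"https://{subdomain.rstrip('.')}{ASSOCIATION_PATH}"


def spf_is_valid(txt_records: List[str], provider_include: str) -> bool:
    """True if exactly one SPF record exists, it includes the provider, and it ends in an 'all' rule."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero records or duplicates both make SPF fail
        return False
    mechanisms = spf[0].split()[1:]
    if not mechanisms or not mechanisms[-1].lower().endswith("all"):
        return False
    return f"include:{provider_include}".lower() in (m.lower() for m in mechanisms)


def check_dns(records: Dict[str, object], phase: str, mail_host: str,
              web_host: str, provider_include: str) -> List[str]:
    """Return a list of problems for the given phase: 'verify' or 'sending'."""
    if phase not in ("verify", "sending"):
        raise ValueError("phase must be 'verify' or 'sending'")
    problems: List[str] = []
    expected = web_host if phase == "verify" else mail_host
    cnames = [c.rstrip(".").lower() for c in records.get("CNAME", [])]
    if cnames != [expected.lower()]:
        problems.append(f"CNAME must point to {expected} during the {phase} phase, got {cnames or 'none'}")
    if not spf_is_valid(records.get("TXT", []), provider_include):
        problems.append("missing or malformed SPF record (expect exactly one v=spf1 TXT)")
    ttl = records.get("TTL")
    if ttl is not None and ttl > MAX_TTL_SECONDS:
        problems.append(f"TTL is {ttl}s; keep it at {MAX_TTL_SECONDS}s or less while flipping records")
    return problems


def tls_context_for_verification() -> ssl.SSLContext:
    """Client context that fails on TLS < 1.2 or an invalid certificate, like a strict verifier would."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: 'latest settings' means TLS 1.2+
    return ctx


# Constructed sample answers; hostnames and the SPF include are placeholders.
SPF_OK = ["v=spf1 include:spf.example-mailer.test -all"]
SAMPLE_VERIFY = {"CNAME": ["example.github.io."], "TXT": SPF_OK, "TTL": 60}
SAMPLE_SENDING = {"CNAME": ["mandrill.com."], "TXT": SPF_OK, "TTL": 60}
SAMPLE_BROKEN = {"CNAME": ["mandrill.com."], "TXT": [], "TTL": 3600}

if __name__ == "__main__":
    for name, rec, phase in (("verify", SAMPLE_VERIFY, "verify"),
                             ("sending", SAMPLE_SENDING, "sending"),
                             ("broken", SAMPLE_BROKEN, "sending")):
        found = check_dns(rec, phase, "mandrill.com", "example.github.io", "spf.example-mailer.test")
        print(name, "->", found or "ok")
    print("Apple will fetch:", association_file_url("mail.micro.blog"))
```

Run it once with the records as they are during verification and once after you have pointed the subdomain back at the provider; an empty list in both phases means the DNS side matches the steps above, and the remaining failure modes are on the web host (missing .nojekyll on GitHub Pages, or a server that cannot negotiate a connection under the strict context).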

As I type all of this out, I still can’t believe it’s so complicated. Apple should both document this and remove as much friction as possible, for example by allowing domain names to be verified by DNS records alone and providing much more detailed error messages when things go wrong.

Manton Reece @manton